Open source code security has been in the spotlight since the Heartbleed bug was exploited against the Canada Revenue Agency website last year. Found in OpenSSL, one of the Web’s most widely used cryptographic libraries, Heartbleed sent public-sector IT personnel scrambling to test their agencies’ websites to make sure they were patched and protected.
But now elected officials are wading into the issue. Federal lawmakers have drafted legislation to help ensure Uncle Sam is buying clean software.
Reps. Ed Royce, R-Calif., and Lynn Jenkins, R-Kan., introduced H.R. 5793, the Cyber Supply Chain Management and Transparency Act of 2014, on Dec. 4. The bill requires vendors to provide procuring agencies with a list of all open source and third-party components embedded in their software and to demonstrate that those components have no known cybersecurity issues. In addition, the measure directs the Office of Management and Budget (OMB) to draft guidelines for agencies to follow in the event that security risks in the software are found.
Progress on the issue was short-lived, however. H.R. 5793 was shelved at the end of 2014, as the 113th U.S. Congress ended. But despite the legislation’s laudable goal, some industry experts believe its quick death could be a blessing in disguise.
Trey Hodgkins, senior vice president for public sector at the IT Alliance for Public Sector (ITAPS), told Government Technology that while he expects open source code security to remain an issue in 2015, H.R. 5793 was “kind of draconian” and duplicative of security measures many companies already undertake on their own.
Hodgkins explained that the way open source products are incorporated into software solutions is a “complex process,” and that companies already have a vested interest in maintaining the integrity of their brands by shoring up potential security holes at the outset.
“They have a number of internal proprietary processes they use to ensure that integrity, and the focus that they’ve had in the past is to determine what they’re doing [now] and how that fits into and satisfies concerns,” Hodgkins said. “That’s what those companies want us to look at first, rather than proposing something that is not necessarily in the same vein of what they are doing already.
“We didn’t think this approach was the best approach to address this issue, and we shared that with the authors in the waning days of Congress last year,” he added.
When asked to describe the alternatives the industry suggested to Royce and Jenkins, Hodgkins didn’t elaborate.
Royce’s office did not return Government Technology’s inquiry on the bill. When reached via email, Thomas Brandt, communications director for Rep. Jenkins, didn’t provide any details on Jenkins’ thoughts on the matter, referring questions about potentially re-introducing the legislation to Royce.
But in a Dec. 4 joint statement with Royce on H.R. 5793, Jenkins did cite her concern over the nation’s cyberinfrastructure and the security of HealthCare.gov as two of the factors behind her initial interest in the topic.
“The problem is not limited to one website; the entire federal government lacks guidelines for website security,” Jenkins said. “This vital legislation will put the appropriate checks and balances in place to ensure that the government has the tools it needs to create a more sound and secure system for taxpayers.”
Government Technology will continue to monitor developments on the issue.